easy--deals3.exe

Nfzgk

Nboohytr

The application easy--deals3.exe has been detected as adware by 14 of 68 anti-malware scanners. It is a setup program built with the Nullsoft Install System (NSIS) installer, but the file is not signed with an Authenticode signature from a trusted source. It is built on the Crossrider cross-browser extension platform; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from an Internet Explorer cache folder (Temporary Internet Files\Content.IE5), meaning it was launched directly from a browser download. The file has been seen being downloaded from cdn77.airdwnlds.com and multiple other hosts.
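A triage script for a sample like this one, added here as an example and not part of the original page or of Reason Core Security's tooling: it hashes a file and compares the result with the MD5/SHA-1/SHA-256 published on this page, looks for the NSIS installer marker, reads the PE security data directory to tell whether any Authenticode signature block is embedded at all, and flags the Content.IE5 cache path and the download host listed here. The `build_sample_pe` helper and the test path are constructed inputs so the script runs offline; a non-empty security directory only shows that a signature blob is present, not that it chains to a trusted publisher, which needs `Get-AuthenticodeSignature` or signtool on Windows.

```python
"""Offline triage of a suspected NSIS adware dropper against the indicators on this page.

Added example; the IOC values are the hashes, host and path published above, the PE
layout offsets come from the PE/COFF specification, and build_sample_pe() is a
constructed stand-in for a real binary.
"""
import hashlib
import struct
import sys
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Indicators published on this page for easy--deals3.exe
IOC_HASHES = {
    "md5": "7f03bfc8f42feaf1f11085bb30c793d6",
    "sha1": "632659dcc19898c34df0dd7ade2985e5cf2efdd8",
    "sha256": "de909e143a0150cf8a939f6296bb496b6b7cfb186c12f945c01b283fa26cce06",
}
IOC_HOSTS = {"cdn77.airdwnlds.com"}

# NSIS writes this "firstheader" magic (0xDEADBEEF little-endian followed by
# "NullsoftInst") at the start of the installer data block appended after the PE image.
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"


def hash_bytes(data: bytes) -> dict:
    """Lowercase hex digests for the three hash types the page lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc(hashes: dict) -> bool:
    """True if any computed digest equals the corresponding published one."""
    return any(hashes.get(k) == v for k, v in IOC_HASHES.items())


def is_nsis_installer(data: bytes) -> bool:
    return NSIS_MAGIC in data


def has_authenticode_block(data: bytes) -> bool:
    """True if the PE security data directory (entry 4) is non-empty.

    Non-empty means a PKCS#7 blob is embedded; it says nothing about trust.
    Empty means the file is definitely unsigned, as the page reports for this sample.
    """
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32: data directories start at offset 96
        dir_base = opt + 96
    elif magic == 0x20B:                        # PE32+: data directories start at offset 112
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    _rva, size = struct.unpack_from("<II", data, dir_base + 4 * 8)  # entry 4 = SECURITY
    return size != 0


def in_ie_cache(path: str) -> bool:
    """True if the path lies under the IE 'Temporary Internet Files\\Content.IE5' cache."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temporary internet files" in parts and "content.ie5" in parts


def from_ioc_host(url: str) -> bool:
    return (urlparse(url).hostname or "").lower() in IOC_HOSTS


def triage(data: bytes, path: str = "") -> dict:
    hashes = hash_bytes(data)
    return {
        "hashes": hashes,
        "ioc_hash_match": matches_ioc(hashes),
        "nsis": is_nsis_installer(data),
        "authenticode_block": has_authenticode_block(data),
        "ie_cache_path": in_ie_cache(path) if path else False,
    }


def build_sample_pe(signed: bool = False, nsis: bool = False) -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, no sections, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x200, 0x100)      # non-empty SECURITY entry
    data = dos + b"PE\0\0" + coff + bytes(opt)
    if nsis:
        data += NSIS_MAGIC + b"\0" * 16
    return data


if __name__ == "__main__":
    # Usage: python triage.py <path-to-exe>; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read(), sys.argv[1]))
    else:
        print(triage(build_sample_pe(nsis=True), r"C:\users\x\appdata\local\microsoft\windows\temporary internet files\content.ie5\ABCD1234\easy--deals3.exe"))
```

Hashing the whole file and comparing against all three digests avoids trusting a single weak hash; the NSIS marker and the empty security directory together reproduce the two structural facts the page states about this sample.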
Publisher:
Nboohytr

Product:
Nfzgk

Description:
Zgvudzjwi

Version:
25.2.25.14

MD5:
7f03bfc8f42feaf1f11085bb30c793d6

SHA-1:
632659dcc19898c34df0dd7ade2985e5cf2efdd8

SHA-256:
de909e143a0150cf8a939f6296bb496b6b7cfb186c12f945c01b283fa26cce06

Scanner detections:
14 / 68

Status:
Adware

Explanation:
This file is part of the Crossrider Internet browser extension framework, which may modify the user's web browser settings, including the home page and search page.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
11/23/2024 6:13:40 AM UTC

Scan engine               Detection                                 Engine version
Agnitum Outpost           PUA.Agent                                 7.1.1
AhnLab V3 Security        PUP/Win32.MulDrop                         14.04.07
Dr.Web                    Trojan.Crossrider.7946                    9.0.1.097
ESET NOD32                Win32/Packed.ScrambleWrapper (variant)    8.9643
Fortinet FortiGate        Adware/Agent                              4/7/2014
IKARUS anti.virus         not-a-virus:AdWare.Win32.Agent            t3scan.2.2.29
K7 AntiVirus              Trojan                                    13.176.11663
Kaspersky                 not-a-virus:AdWare.Win32.Agent            14.0.0.4053
McAfee                    Artemis!7F03BFC8F42F                      5600.7168
Reason Heuristics         PUP.Downloader.Nboohytr.M                 14.5.13.5
Sophos                    Generic PUA GD                            4.98
Trend Micro House Call    TROJ_GEN.F47V0328                         7.2.97
Vba32 AntiVirus           AdWare.Agent                              3.12.26.0
VIPRE Antivirus           Trojan.Win32.Generic                      28102

File size:
6.2 MB (6,466,391 bytes)

Copyright:
Rgusqp

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\easy--deals3.exe

File PE Metadata
Compilation timestamp:
12/4/2012 11:55:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
98304:8XSUTkKOy5xV7axzfpVpQt4kdyWsnByXLy7bRowrXySxoUTPhIRkPUbD9I3V:8X7TWyjxmzfp8RdwngLOVx/DsNu

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)

The file easy--deals3.exe has been seen being distributed from 2 URLs, including:

http://cdn77.airdwnlds.com/downloads/offers/.../easy--deals3.exe
